Another eBay scam: Too good to be true.

Earlier this week SophosLabs was alerted to another potential eBay scam (see the article on The Register). A high-performance vehicle, included as a featured listing at a ridiculously low price, had attracted suspicion.


Clicking on the item resulted in a rapid redirect to a remote (non-eBay) site. Looking through the eBay-hosted page identified the cause – an embedded Shockwave file (now detected as Troj/ReDir-A).


The Shockwave file (created with SWF Quicker) performs the redirect with a standard getURL() call.


The result is that the details page for the listing is loaded from a remote, Russian site.


As you can see, the page is crafted to look just like the official page, except that the embedded forms point to a mailto address, not back to eBay. Phishing for eBay credentials does not appear to be the purpose of this scam – clicking on the ‘sign in’ link takes you back to the official eBay sign-in page. Clearly the scammers are happy to abuse legitimate eBay sellers, typically those with good reputations. The seller listed in this scam was a power seller, normally associated with jewellery items.

Clicking on the bid or ‘buy it now’ buttons creates an email to the seller in the default email client, which generates a warning popup from Internet Explorer.


Looking through the root of the Russian site, it would appear this is not the first scam.


Just another demonstration of the dangers that embedded Flash content can present (see the previous blog post about poisoned adverts). The risk comes from its support for ActionScript, a scripting language based on ECMAScript (i.e. akin to JavaScript). Stricter input validation by eBay would have prevented users from embedding Flash content in description pages.
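One way a marketplace could enforce that validation, shown here as an added example rather than eBay's or SophosLabs' code: an allow-list HTML sanitizer for listing descriptions that discards plugin containers such as `<object>`/`<embed>` (the carrier for a Flash movie) and any URL attribute that is not absolute http(s) or that names a .swf, and returns what it removed so rejects can be logged. The tag and attribute allow-lists and the sample markup are constructed for illustration.

```python
from html import escape
from html.parser import HTMLParser
# Tags a listing description legitimately needs; anything else is dropped.
ALLOWED_TAGS = {"p", "b", "i", "u", "br", "ul", "ol", "li", "a", "img", "table", "tr", "td"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}   # no on* handlers, no style
VOID_TAGS = {"br", "img"}
# Plugin/script containers: the element and everything inside it is discarded,
# which is where <object><param ...><embed src="...swf"></object> ends up.
ACTIVE_CONTAINERS = {"object", "script", "iframe", "applet"}
SAFE_SCHEMES = ("http://", "https://")

class ListingSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.dropped, self.skip_depth = [], [], 0
    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_CONTAINERS:
            self.skip_depth += 1          # swallow until the matching end tag
            self.dropped.append(tag)
            return
        if self.skip_depth:
            return
        if tag not in ALLOWED_TAGS:       # also catches a stray <embed> on its own
            self.dropped.append(tag)
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            low = (value or "").strip().lower()
            # URL attributes must be absolute http(s) and never point at a movie,
            # which rejects javascript:, data:, vbscript: and *.swf targets alike.
            if name in ("href", "src") and (not low.startswith(SAFE_SCHEMES) or low.endswith(".swf")):
                self.dropped.append(f"{tag}@{name}")
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag):
        if tag in ACTIVE_CONTAINERS:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data))

def sanitize_listing_html(html):
    # Returns (clean_html, dropped) so rejected markup can be logged for review.
    p = ListingSanitizer(); p.feed(html); p.close()
    return "".join(p.out), p.dropped
```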